At first I thought this was one of those IT urban legends, like the “disappearing warehouse” story, but according to Verizon's IT security risk team, it's all true.
A few weeks ago, Verizon wrote on its IT security blog that it was asked to perform a security assessment for a U.S.-based client after the latter was “startled” to discover a live “open and active VPN [virtual private network] connection from Shenyang, China!”
What made the client thoroughly worried about this surprisingly open communication port to China was first that it was a U.S. critical infrastructure company; second, it had two-factor authentication for its VPN connection, which had obviously been breached and, third, “the developer [given the pseudonym “Bob”] whose credentials were being used was sitting at his desk in the office.”
In other words, “the VPN logs showed [the developer] logged in from China, yet the employee is right there, sitting at his desk, staring into his monitor.”
It seemed unlikely that Programmer Bob was manipulating the space time continuum, so the client called Verizon's IT security team hoping for a more realistic explanation.
What Verizon discovered was that someone in China had been using Programmer Bob’s credentials to access the client’s computer systems for quite some time on almost a daily basis. The Verizon risk team theorized that Bob’s desktop workstation software had been somehow breached possibly via some zero day malware. So, the team decided to acquire a forensic image of Bob’s workstation to see if it could uncover this malware as well as how it got onto Bob's workstation.
Instead, what Verizon discovered were “hundreds of .pdf invoices from a third party contractor/developer in (you guessed it) Shenyang, China.”
According to the Verizon account, “As it turns out, Bob had simply outsourced his own job to a Chinese consulting firm. Bob spent less that one fifth of his six-figure salary for a Chinese firm to do his job for him. Authentication was no problem. He FedExed his physical RSA token to China so that the third-party contractor could log-in under his credentials during the workday. It would appear that he was working an average 9 to 5 work day.”
Nothing like exploiting a favorable date/time differential.
Programmer Bob, Verizon says, would spend the morning surfing Reddit for a couple of hours (watching cat videos), then take a long lunch, then spend the afternoon shopping on Ebay and updating his Facebook and LinkedIn. He did diligently return to his day job at the end of each day, to e-mail management on his work progress.
More interestingly, programmer Bob seems to have been able to pull off his outsourcing trick at multiple companies in his area. Exactly how wasn’t explained—I assume Bob didn’t have to be physically present at these other companies.
Verizon calculated that good old Bob looked to be earning “several hundred thousand dollars a year, and only had to pay the Chinese consulting firm about fifty grand annually.”
Even more interestingly—and here's where the blogosphere's ears really perked up—the client thought Bob was a superb employee. “For the last several years in a row he received excellent remarks. His code was clean, well written, and submitted in a timely fashion. Quarter after quarter, his performance review noted him as the best developer in the building.”
Verizon’s blog post naturally stirred up a lot of controversy. Some commenters claimed Programmer Bob was a hoax perpetrated by Verizon, or was in fact a Verizon employee. A later post by Verizon insisted that it was a true story, and that programmer Bob was not a Verizon employee.
What I found interesting was how, for everyone else, the story passed through myriad lenses of literary interpretation. Some saw Programmer Bob as a righteous example, a programmer Robin Hood who exercised the same prerogatives as managers who wantonly outsource jobs to China. This was the general take of an article in the UK Guardian, where Steven Poole wrote that Bob “has learned a harsh lesson: exploitation is a job for employers, not staff.”
Others took a slightly more modern perspective, comparing Programmer Bob to Mark Twain’s Tom Sawyer, who famously talked his friends into painting a fence he was tasked with. In this case, the role of Tom's eloquence was played by the pay differential between UK and Chinese programmers who do the same work (in this case, literally the same).
Even the Financial Times of London saw some merit in Bob's unorthodox arrangement, with popular columnist Lucy Kellaway asking, “If I outsourced my work, would you care?” Kellaway asks what the big deal is—lots of folks effectively outsource their work and no one seems to care. For example, she noted, “No one expects politicians to write their own speeches. We know many academics get their PhD students to do their research for them. Fashion designers don’t generally design their own clothes. Colonel Sanders doesn’t make his own fried chicken—though that is partly because he is dead.”
While tempted to outsource her own column, Kellaway admitted her ego “isn’t strong enough to deal with someone who is better at being me than I am.” That makes her Jerry Maguire to Programmer Bob's Ron Tidwell, the character who periodically shouted, “Show me the money.”
Still others viewed the story in the way that Verizon’s original post intended: a warning about how easy it is for a company’s IT systems to be breached by insiders, and how companies need to watch out for this. Yesterday’s Christian Science Monitor story on Bob’s exploits focused on this security angle.
I am sort of surprised that Bob hasn’t surfaced on daytime television yet. I wonder if it's because Bob, described as being a “mid-40’s software developer versed in C, C++, perl, java, Ruby, php, python, etc.,” a “ family man, inoffensive and quiet,” and “Someone you wouldn’t look at twice in an elevator” forgot to tell the appropriate authorities about his various sources of income.
Given a good lawyer, maybe the same one who helped another American icon, the singer Willie Nelson with his tax problems, perhaps Bob can have his folk hero status certified by Oprah. I, for one, would love to hear more about how he did it, though maybe 60 Minutes would be a better venue for the technical details.
And if Programmer Bob is reading this, you’re always welcome to tell your story here at the Risk Factor. Just don't outsource the interview.
Photo: Miha Perosa/iStockphoto
Contributing Editor Robert N. Charette is an acknowledged international authority on information technology and systems risk management. A self-described “risk ecologist,” he is interested in the intersections of business, political, technological, and societal risks. Along with being editor for IEEE Spectrum’s Risk Factor blog, Charette is an award-winning author of multiple books and numerous articles on the subjects of risk management, project and program management, innovation, and entrepreneurship. A Life Senior Member of the IEEE, Charette was a recipient of the IEEE Computer Society’s Golden Core Award in 2008.